ccusage — agentic threat model
ccusage is a low-risk, deterministic local utility for tracking Claude Code token usage. Its primary security risks are local, stemming from potential log injection vulnerabilities or dependency compromises within the developer's local environment.
OWASP AIVSS score rationale
| Agentic risk factor | Score |
| --- | --- |
| Autonomy of Action | 0.10 |
| Goal-Driven Planning | 0.00 |
| Self-Modification | 0.00 |
| Dynamic Tool Use | 0.10 |
| Persistent Memory | 0.10 |
| Contextual Awareness | 0.20 |
| Dynamic Identity | 0.00 |
| Multi-Agent Interactions | 0.20 |
| Non-Determinism | 0.00 |
| Opacity & Reflexivity | 0.10 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Foundation Models (not certain from the listing): The tool itself is a local script that reads JSONL logs and does not appear to directly run or query a foundation model, though it integrates with Claude Code, which does.
Data Operations: Reads local Claude Code JSONL usage logs. The threat is malformed or maliciously crafted JSONL transcripts (log injection), which could lead to parsing vulnerabilities, or to path traversal if log paths are manipulated.
Agent Frameworks: Exposes a `ccusage statusline` command designed to be wired into Claude Code's statusLine hook. Vulnerabilities in the hook integration or command execution could allow local command injection or execution of arbitrary code if the statusline hook is compromised.
Deployment & Infrastructure: Runs locally on the user's machine. The primary threat is local privilege escalation or unauthorized local file access if the script is run with elevated privileges or if its dependencies are compromised.
Evaluation & Observability: Acts as an observability tool tracking token usage and costs. Threats include evasion of cost tracking via manipulated logs, or inaccurate reporting due to log tampering, leading to unexpected API billing.
Security & Compliance: Operates locally without requiring API keys, reducing credential exposure. However, there is no explicit mention of access controls or input validation on the JSONL files it parses.
Agent Ecosystem: Commonly embedded in other statusline plugins and integrates with Claude Code. A compromise in this tool could propagate to other statusline plugins or the broader Claude Code environment.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).